Why JavaScript is bad and Pale Moon need a XSS filter again

General discussion and chat (archived)
dark_moon

Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by dark_moon » 2017-09-03, 17:56

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability: http://blog.securelayer7.net/owasp-top- ... t-imports/

Nice comments on reddit too: https://www.reddit.com/r/netsec/comment ... t_imports/

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by Moonchild » 2017-09-03, 18:05

JavaScript is not bad. Improper use of it is bad.
This is also not a browser issue but a web design issue.

Also, if you want to reintroduce the active XSS filter, then feel free to step right up and port the code forward to Pale Moon 27.
For all other uses, we have CORS and CSP to nip any XSS in the bud.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
adesh
Board Warrior
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by adesh » 2017-09-03, 18:36

FTR, NoScript provides XSS protection if you need it.

Latitude

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by Latitude » 2017-10-09, 14:57

So, XSS technique could be used to reach a good purpose?

millpond

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by millpond » 2017-10-11, 23:03

Latitude wrote:So, XSS technique could be used to reach a good purpose?
Please define 'good'.

Personally I have a tendency to blacklist sites that cannot even maintain their own code. I believe the term for that is 'incompetent'.

The excuse that a site needs to cache similar code for multiple sites is a bit lame.
Becuase in reality, that code is typically annoying advertizing junk.

The arguments against it are more potent: How would you like to have your site break, because another site has went down.
I have seen this happen with jquery code that relied on a third party server (though JQuery itself does not suffer this problem - it downloads its scripts locally).

If site A needs to transfer control over to site B, as a website may do for PayPal, there should ALWAYS be a confirmation button.

From a users perspective, if I go to site A, and I am assuming it has earned my trust, I certainly do not want content from site B, which is usually an unknown entity. I have my blockers amped up to full throttle on this. My hosts file is over a meg.

At today's bandwith the few extra milliseconds for xferring needed scripts over should be inconsequential for a well designed site. And problematic for sites offering nothing but garbage requring excessive and atrocious multimedia effects-usually to get extra ratings for advertizing revenue, rather than for user benefits.

struppi
Hobby Astronomer
Hobby Astronomer
Posts: 28
Joined: 2016-11-30, 08:28

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Unread post by struppi » 2017-11-09, 06:53

I am great Fan of Javascript but I use JS filter since the beginning because of useless and annoying effects. The best protection against those attacks is uMatrix.

You can allow or forbid everything from every single URL (and even every URL different on different pages). And everything means cookies, javascript, css, images, frames, XHR, Media and "other". For experience user I recommend this AddOn

Locked